THALES BLOG

Device-Bound Passkeys: A Practical Path to Phishing-Resistant Enterprise Authentication

April 14, 2026

Aboubacar Diawara | Senior Product Manager, Workforce IAM

TL;DR:

  • With most breaches involving stolen credentials, many organizations are shifting toward phishing-resistant FIDO2 MFA
  • OTP- and push-based MFA remain vulnerable to adversary-in-the-middle (AITM, also called man-in-the-middle or MITM) proxies and to MFA prompt-bombing, because nothing in those exchanges ties the approval to the genuine site
  • Device-bound passkeys are a strong enterprise option: the private key stays on the trusted device, using it requires local user verification (typically a biometric or device PIN), it works from a phone the user already carries, and it is easy to manage through an IdP


Identity has become the primary attack surface in the enterprise.

Credential theft continues to drive the majority of breaches, and attackers are getting better at bypassing traditional defenses. Phishing kits are widely available. Deepfake technology makes helpdesk social engineering all the more convincing. MFA fatigue attacks are easy to execute. AITM/MITM proxies can intercept credentials, OTPs and session tokens in real time. And all of this is further accelerated by AI, which makes the same old attack techniques faster and more effective.

At the same time, organizations are under pressure from regulators to not only adopt phishing-resistant authentication, but to drive 100% adoption and accountability across their workforce and third-party identities. Doing this at an enterprise scale is no easy feat.

The problem usually comes down to balancing convenience (what users actually adopt) and security (what prevents attacks).

The Problem: Traditional MFA Still Relies on Shared Secrets

Multi-factor authentication (MFA) improved security, but it didn’t fundamentally change the model of authentication.

Most MFA methods still depend on something that can be captured, replayed, or socially engineered, such as:

  • Passwords
  • One-time passcodes (OTP)
  • Push approvals

That leaves gaps:

  • Phishing pages can capture passwords and OTPs and relay them to the real site before they expire
  • MFA prompt-bombing attacks exploit human behavior: the user eventually approves a push they did not initiate
  • Session-token theft bypasses authentication entirely, because the stolen cookie is itself a reusable bearer secret

Even with MFA in place, the system still relies on reusable shared secrets moving across networks and devices that can be intercepted by an attacker.

From Shared Secrets to Cryptographic Authentication

An organization becomes phishing-resistant by eliminating reusable shared secrets used for authentication, which is what FIDO2 passkeys achieve.

Instead of transmitting credentials:

  • A key pair is generated on one trusted device; the private key stays there, and only the public key is registered with the service
  • Authentication happens locally: after user verification (ideally biometric), the device signs a single-use challenge issued by the service, together with the origin the browser observed

There is nothing reusable for an attacker to steal, and the browser only releases a credential to the site whose domain it was registered for, so a phishing site sitting between the user and the service cannot obtain a signature the service will accept. That combination is what makes the authentication phishing-resistant.

But even within the category of phishing-resistant FIDO2 authentication there is a lot to choose from, each option with different use cases and benefits.

What Are Device-Bound Passkeys?

A device-bound passkey is a FIDO2 credential that is:

  • Created on a specific device or authenticator
  • Stored securely on that device
  • Not synced, exported, or copied anywhere else

A device-bound passkey is cryptographically tied to a single device and cannot leave it. Authentication is then completed by unlocking the device, typically with biometrics, which allows the private key to be used locally.

What Makes Device-Bound Passkeys Phishing Resistant?

Device-bound passkeys eliminate the failure points of traditional authentication:

  • No passwords to phish
  • No OTPs to intercept
  • No push approvals to spam
  • No shared secrets transmitted over the network

Device-Bound vs. Synced Passkeys

As passkeys have evolved, two models have emerged:

Synced Passkeys

  • Stored in cloud ecosystems
  • Replicated across devices
  • Optimized for individual convenience

Device-Bound Passkeys

  • Stored on a single device or authenticator
  • Not replicated or synced
  • Optimized for assurance and control

The Tradeoff

                     Device-Bound Passkeys   Synced Passkeys
Storage              Single device           Cloud-synced
Security             Very high               High
Attack surface       Minimal                 Broader
Enterprise control   Strong                  Limited

For enterprise-scale authentication, security and usability are extremely important. But so are governance and control. While synced passkeys are still a good option, most organizations, especially those in regulated industries, cannot tolerate the risk of a credential being replicated into personal cloud accounts and onto devices the organization does not manage.

Why Are Enterprises Prioritizing Device-Bound Passkeys?

Enterprise environments operate under different constraints than individual consumers do.

You’re securing:

  • Thousands (if not millions) of identities across employees, partners, and customers
  • Critical systems and infrastructure
  • Sensitive business and customer data

At that scale and level of complexity, assurance, control, and policy enforcement remain priorities.

Device-bound passkeys with enterprise policy enforcement support that by:

Reducing Credential Exposure

Credentials remain on a single device, limiting where they can be attacked.

Resisting Modern Attack Techniques

They are inherently resistant to phishing, MFA prompt-bombing, and adversary-in-the-middle (AITM/MITM) attacks, because each sign-in signs a fresh, single-use challenge bound to the genuine origin and there is no prompt for the user to approve blindly.

Enabling Higher Assurance

Authentication is tied to both the trusted user and their device, not just a credential.

Supporting Compliance

They align with growing regulatory requirements for phishing-resistant MFA.

Improving Policy Control

Enterprises can enforce which devices and authentication methods are allowed depending on the context of the access event.

Where Device-Bound Passkeys Fit in Practice

Most organizations aren’t enforcing MFA for the first time but rather growing in their MFA maturity. Security teams aren’t ripping and replacing outdated methods, but layering in stronger authentication where it drives the most impact:

  • Workforce & third-party access
  • VPN and remote access
  • Privileged users
  • Sensitive applications

At the same time, they still need to support:

  • Legacy systems
  • Mixed authentication methods
  • Existing workflows and user journeys

Bringing It Together with MobilePASS+

SafeNet MobilePASS+ doesn’t just “support passkeys” in a generic sense. It operates as a device-based authenticator and passkey manager that also offers a range of other MFA methods (e.g., push, OTP, PIN verification) depending on risk and access scenario.

What It Actually Does (Technically)

  • Acts as a passkey manager on the device, meaning it can create and manage passkeys locally rather than relying on consumer cloud ecosystems
  • Supports device-bound passkeys using FIDO2, enabling phishing-resistant authentication tied to that specific trusted device
  • Enables passkey enrollment via QR code or browser-based flows, which allows users to self-provision credentials without interrupting their existing login flow
  • Uses the device’s biometric capabilities (e.g., fingerprint, Face ID) to unlock and use the private key during authentication

Why That Matters in Practice

This model gives enterprises something they typically don’t get with other passkeys:

  • Control over where the credential lives (on the device, not in a personal cloud account)
  • A managed authenticator experience that can be governed by access policies through an identity provider
  • Flexibility to support multiple methods (passkeys, push, OTP) in a single app for different assurance levels, workflows, and fallback scenarios

In reality, most organizations need to support both:

  • High-assurance, phishing-resistant authentication (like device-bound passkeys)
  • Fallback or legacy methods (OTP, push) for coverage and resilience

MobilePASS+ seamlessly connects these two environments, offering convenience to most users who probably have their phone handy. If someone chooses not to—or is unable to—use their phone for authentication, a FIDO2 device might be a more suitable option.

The Bottom Line

While the industry's reliance on shared secrets is exploitable by attackers, device-bound passkeys are proving to deliver an optimal mix of security assurance and user convenience. Their implementation ensures robust protection and gives individuals greater control. For enterprises operating in regulated or high-risk environments, governance remains equally vital alongside security. As organizations transition to phishing-resistant, passwordless authentication, device-bound passkeys managed by authenticators like MobilePASS+ stand out as the practical and reliable solution.